GHSA-632p-p495-25m5

Suggest an improvement
Source
https://github.com/advisories/GHSA-632p-p495-25m5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-632p-p495-25m5/GHSA-632p-p495-25m5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-632p-p495-25m5
Aliases
Published
2024-06-04T17:53:29Z
Modified
2024-06-04T17:53:29Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Directus is soft-locked by providing a string value to random string util
Details

Describe the Bug

Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged in sessions can no longer be refreshed as sessions depend on the capability to generate a random session ID.

To Reproduce

  1. Test if the endpoint is working and accessible, GET http://localhost:8055/utils/random/string
  2. Do a bad request GET http://localhost:8055/utils/random/string?length=foo
  3. After this all calls to GET http://localhost:8055/utils/random/string will return an empty string instead of a random string
  4. In this error situation you'll see authentication refreshes fail for the app and api.

Impact

This counts as an unauthenticated denial of service attack vector so this impacts all unpatched instances reachable over the internet.

References

Affected packages

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.11.2

Database specific

{
    "last_known_affected_version_range": "<= 10.11.1"
}